Home page logo
/

snort logo Snort mailing list archives

Re: reputation preprocessor and IDS
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Jun 2013 21:14:23 -0400

On 6/4/2013 18:20, Joel Esler wrote:
On Jun 4, 2013, at 4:04 PM, waldo kitty <wkitty42 () windstream net> wrote:
i'll have to dig and see if there is/was a bug that was fixed from 2.9.4.1
to the latest snort versions... i whitelisted a CIDR block and they still
generate alerts... specifically, we saw alerts on 129:20 when snort was
reloading after setting the CIDR block in the whitelist file and bouncing
snort with a complete exit and startup... we've also seen 128:4 when
sshing into that sensor on a non-standard port but we DO have that
non-standard port listed in the ssh config section of snort.conf... these
alerts happen for only a short time and then snort seems to settle down and
stop issuing them even though those same connections are still active or
being terminated and restarted again...

Whitelist doesn't mean "totally ignore these hosts", whitelist is used in
the term of "these things in this whitelist? yeah, they /never/ get
blacklisted"

that makes a difference... but how does it truly affect things in IDS mode? i 
can see how it affects things in IPS mode where snort has to allow or disallow 
the passage of the data packets but in IDS mode snort is passive as far as the 
traffic flowing thru... other than raising an alert... isn't it?? so it would 
seem that a whitelist entry would tell snort to not alert on that IP...

If you want to ignore a host, bpf it out like normal.

ahhh... yeah... bpf is not part of our distributed methodology... it adds too 
much more to go wrong because someone didn't understand thing properly... 
normally i'd just threshold the IP so that it passes everything... i think 
that's how it has been done in the past isn't it?

in any case, it is one of our users that was trying this method so as to prevent 
alerts from even happening on the named IP... i'm just following up on the whys 
and wherefores as to why it did not work the way they (and many of us) thought 
it did...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault